Managing the Risks of IT Outsourcing

In the example used for the illustration of this concept (see Figure 5.5) it is arbitrarily assumed that a Level 4 risk is the maximum reasonable exposure to a dimension of risk for, say, the technical dimension. The IRR estimated would then be about 45%. Should the risk exposure decrease, in this example the IRR would also decline. If the supplier were prepared to take risk exposure up to an arbitrary level of 4, then it would need to be prepared to estimate its financial gains for such a risk exposure before agreeing to perform the outsourced function. Another way of reviewing the ‘make or buy’ decision entails estimating whether the expected economic loss (transaction costs and contractual risks), given the optimal contractual risk mitigation that an outsourcing contract can provide, exceeds the expected economic gain (the difference in production costs). So long as the risks associated with the outsourcing of any single activity do not have expected losses that exceed the expected gains, then, on average, the organization’s portfolio of activities should be economically neutral.

Figure 5.5 A reasonable risk tolerance/exposure level could be a measure of financial internal rate of return (IRR) (example with arbitrary data for illustration only). [Chart: risk level (0 to 4.5) plotted against IRR (0 to 60%). Regions marked: ‘IRR unacceptable for average risk level greater than 4’; ‘IRR too low for risk level (high risk, low IRR)’; ‘IRR is reasonable for risk level (low risk, high IRR)’.]
5.5 Mapping the risk signature
If arbitrary risk dimensions are then taken in the areas of risk, namely strategic, technical, financial, legal, operational, business (overall performance), environmental (business interaction) and informational (access), one view of risk is fairly well represented.
To measure risk sensitivity, a Likert scale on a multidimensional, numeric, empirical index of 0 to 5 is used where 0 represents zero risk and 5, very significant risk. The risk signature (sample in Figure 5.6) can then be used to identify risk type, risk exposure and mix of risks for the organization at that point in time.
Risk Interaction in IT Outsourcing

Empirical information is available from risk strategies and planning documents. However, this methodology does not provide precise measurements. The critical information derived represents relative weightings of the risk in the key dimensions identified. The difference between the risk profile of the supplier and that of the buyer is already visible from a plot of the relative weight differences on each of the identified dimensions. The resultant risk signature for the example used in this book is illustrated in Figure 5.6.

Figure 5.6 The risk profiles of a typical supplier and buyer of outsourcing services show a high skew toward the supplier (lower risk). [Radar plot with one axis per dimension: Technical, Strategic, Financial, Informational, Legal, Environmental, Operational, Business; two series, Buyer and Supplier.]
A version of the risk landscape would appear as a risk ‘signature’ for the buyer of outsourcing services. Similarly the risk signature for the supplier could be mapped. What is observed here is that the signature for the buyer is relatively larger than that for the supplier in relation to risk areas that need to be considered. A larger area denotes either a higher probability of risk or a higher loss as a result of the risk experienced. Importantly however, the risk signatures paint a picture of the relative risks along the risk dimensions, allowing for subsequent analysis and management.
5.6 Evaluation dimensions
The data for the supporting dimensions will be derived from the supplier proposals and the organization’s executives. The preparation of the weighting criteria would, however, need to be accomplished as part of the development of the assessment tool. The weights applied to the different evaluation elements need to be reasonable and applicable to the organization, its industrial sector and the IT function.
Figure 5.7 The risk tolerance levels from the relationship between the probability of occurrence and severity levels. [Matrix: rows are the probability of occurrence (Frequent, Probable, Occasional, Remote, Improbable); columns are the severity level (I = High through IV = Low); each cell carries one of the four risk ratings below.]
Risk 1: Undesirable and requires immediate attention
Risk 2: Undesirable and requires corrective action, but some management discretion allowed
Risk 3: Acceptable with review by management
Risk 4: Acceptable without review by management
Source: US Government Accounting Office, ‘Information Security Assessment – Practices of Leading Organizations’, June 1999
In Figure 5.7, four risk types have been highlighted for simplicity of illustration. The matrix that results when the probability of occurrence (likelihood) is mapped against the severity level (potential impact) defines the organization’s risk portfolio (US Government Accounting Office, 1999). It also reveals the risk tolerance boundary for the organization. This imaginary boundary lies roughly at the border between risk 2 and risk 3. The concept can then be transposed to the risk profile, where all the risk exposure elements are already plotted.
The potential impact on the business would logically form the weighting for the evaluation items. This is also proportional to the risk exposure. The revised approach takes into account the proposed methodology already used in industry.
The dimensions for measurement would also need to be considered. Given the objectives of the outsourcing exercise for the organization, the basic outsourcing services as well as the business transformation work need to be compiled to show the benefits that would accrue from this exercise. The basic outsourcing of the IT function would derive from infrastructure (e.g. hardware, operating systems and databases) and applications (software that performs business functions). The additional value that is sought after, however, lies in the transformation of the organization through the best practices delivered by the (world class) supplier. The transformation practices would be viewed from a systems and business integration perspective. Systems integration would deliver both the traditional services (including familiarity and ability to deliver the infrastructure to operate the business) and new directions (including new architecture for IT components, processes and functions). The business integration advantage would come from the supplier’s understanding of the organization’s business and its business process re-engineering skills.
5.7 Analysing risk with the RDS
The analogy of a risk landscape alluded to in this chapter represents the rich mix of risk dimensions assembled to show the interaction of risk exposure experienced by both the supplier and buyer of ITO services.
As discussed earlier, the RDS is based on various risk analysis frameworks. These risk analysis framework methods are constructed from the measurement of loss and the probability of loss.
The grouping of risks along risk dimensions provides a stage on which risks of a similar nature can be brought together. As was discussed earlier, this implies that the impact of minor variations in measurement as a result of uncertainties in probability of loss magnitudes will be reduced.
With the ability to group risks, the RDS is formulated to illustrate the various dimensions in which risks become manifest in the ITO exercise. The variety of components of IT, the rapid changes in the nature of each component and the role of the IT function are accommodated because the RDS can be reused when required. Specific areas from the outsourcing of the IT function can be researched, and this allows for comparison between risk dimensions.
The information from the RDS is qualitatively illustrated and key features include:
● limits of risk or risk tolerance that can be borne by the organization;
● relative severity of risks between the one stakeholder and another;
● areas where risk dimensions can be ‘traded’ for another;
● mix of risks and areas of high risk stress (unacceptable risk areas);
● important risk dimensions (as defined by the organization).
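As an added example (not code from the book or its case study), the following Python computes the features just listed from two signatures scored on the Likert index of Section 5.5 and plotted as in Figure 5.6: the size of each party's signature as the area of its radar-plot polygon, the per-dimension relative weight differences between buyer and supplier, the dimensions at or above a tolerance level (the high-stress areas), candidate dimensions for trading risk between the parties, and the change between two snapshots in time. The dimension scores and the tolerance level of 4 are assumptions constructed for illustration; the level of 4 follows the arbitrary Level 4 used with Figure 5.5.

```python
"""Risk signature comparison for a buyer and a supplier of ITO services.

Added example; this is not code from the book or its case study.
Each dimension is scored on the Likert index of Section 5.5
(0 = zero risk, 5 = very significant risk).  All scores below are
constructed for illustration, and the tolerance level of 4 is an
assumption that follows the arbitrary Level 4 used with Figure 5.5.
"""
import math

# The eight risk dimensions named in Section 5.5, in plotting order.
DIMENSIONS = ("strategic", "technical", "financial", "legal",
              "operational", "business", "environmental", "informational")

# Constructed sample signatures (assumption, not the book's data).
BUYER = {"strategic": 4, "technical": 3, "financial": 4, "legal": 2,
         "operational": 4, "business": 3, "environmental": 2,
         "informational": 4}
SUPPLIER = {"strategic": 2, "technical": 3, "financial": 2, "legal": 3,
            "operational": 2, "business": 2, "environmental": 1,
            "informational": 2}


def validate(signature):
    """Reject a signature that lacks a dimension or leaves the 0..5 index."""
    missing = [d for d in DIMENSIONS if d not in signature]
    if missing:
        raise ValueError(f"missing dimensions: {missing}")
    bad = {d: signature[d] for d in DIMENSIONS if not 0 <= signature[d] <= 5}
    if bad:
        raise ValueError(f"scores outside the 0..5 index: {bad}")
    return signature


def signature_area(signature):
    """Area of the polygon a radar plot draws through the scores.

    With n axes spaced 2*pi/n apart the polygon is n triangles, each of
    area (1/2) * r_i * r_{i+1} * sin(2*pi/n).  The result depends on the
    axis order, so compare signatures only when drawn in the same order.
    """
    validate(signature)
    n = len(DIMENSIONS)
    r = [signature[d] for d in DIMENSIONS]
    return 0.5 * math.sin(2 * math.pi / n) * sum(
        r[i] * r[(i + 1) % n] for i in range(n))


def total_score(signature):
    """Order-independent size of the signature: the sum of its scores."""
    validate(signature)
    return sum(signature[d] for d in DIMENSIONS)


def differences(buyer, supplier):
    """Relative weight difference per dimension (positive: buyer carries more)."""
    validate(buyer)
    validate(supplier)
    return {d: buyer[d] - supplier[d] for d in DIMENSIONS}


def stress_points(signature, tolerance=4):
    """Dimensions at or above the tolerance level (unacceptable risk areas)."""
    validate(signature)
    return [d for d in DIMENSIONS if signature[d] >= tolerance]


def trade_candidates(buyer, supplier, tolerance=4):
    """Dimensions where the buyer is at or over tolerance while the supplier
    could take on one more unit of risk and still stay below tolerance."""
    validate(supplier)
    return [d for d in stress_points(buyer, tolerance)
            if supplier[d] + 1 < tolerance]


def snapshot_delta(before, after):
    """Dimensions whose score changed between two snapshots in time."""
    validate(before)
    validate(after)
    return {d: after[d] - before[d] for d in DIMENSIONS if after[d] != before[d]}


if __name__ == "__main__":
    print("buyer    area %.2f total %d" % (signature_area(BUYER), total_score(BUYER)))
    print("supplier area %.2f total %d" % (signature_area(SUPPLIER), total_score(SUPPLIER)))
    print("differences  ", differences(BUYER, SUPPLIER))
    print("buyer stress ", stress_points(BUYER))
    print("tradeable    ", trade_candidates(BUYER, SUPPLIER))
    later = dict(BUYER, financial=2, legal=3)  # constructed second snapshot
    print("delta        ", snapshot_delta(BUYER, later))
```

The area of a radar polygon changes when the axes are reordered, which is why `total_score` is kept alongside it: use the area only to compare signatures drawn on the same axes in the same order, as in Figure 5.6, and use the order-independent total when signatures come from differently laid-out plots. `validate` is called on every input so that a score outside the 0 to 5 index, or a signature missing a dimension, fails loudly instead of silently shrinking or inflating the polygon.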
Risk profile snapshots at two different points in time reveal the effects of these actions on the organization’s risks along separate dimensions. The iterative process then continues and becomes an input into the risk assessment methodology, defined in the following chapters, where the concepts and the tool are tested. Importantly, the risk profile also allows the organization’s ITO governance team to steer the outsourcing activities knowing the stresses on the risk profile relative to these risk dimensions.
It is expected that various nuances and hues on the risk landscape are discernible from the details in the case study (see Chapter 8), giving rise to points of contention. This, however, should not distract attention from the main objective of the exercise, which is to observe possible interaction between risk dimensions that arise in the outsourcing of the IT function. The use of the eight risk dimensions in Figure 3.8 needs to be verified and substantiated each time the RDS is applied.
The RDS described in the previous two chapters is a tool developed specifically for the purpose of examining risks in the ITO environment and examining risk profiles, as described earlier. The RDS was introduced in Chapter 3 to be used as the primary tool for observation of changes in risk profiles. These changes can be measured and observed by applying the RDS at specific times during the ITO exercise.